Revision: 1.0
Date: 1997/05/12 14:11:44
Mike Vildibill, Shawn Strande, Tom Perrine, Cindy Zheng
I. Introduction
Certain SDSC staff members have access privileges beyond those of normal
users. This policy describes the responsibilities associated with these
privileges.
II. Essential Responsibilities
People who invoke administrator (sysNNN)
privileges, by whatever means, are expected to adhere to the following rules
under ordinary circumstances (which means about 99% of the time). Failure to
do so may result in a loss of administrator access for that person.
- Access does not imply authorization. Just having an administrator
password for a machine does not imply that you may take any action
that Windows NT will permit. For example, if you have the administrator
password on a server to examine system logs or assist in installing
software, this does not imply authorization to change the configuration
of the machine, to reboot the machine (even via power switch, except
in emergencies; see item (5) below), or to add or remove user accounts,
etc.
- The privacy of electronic mail must be maintained in accordance with
federal law, which essentially says that you should never read other
people's mail. The law makes exceptions for emergency situations, and
it is generally considered acceptable to look at mail headers (but not
message bodies) for debugging purposes. Retrieving a copy of your own
mail from someone else's mailbox is NOT allowed.
- Do NOT bypass or change the access mode of a file or directory without
first getting explicit permission from the file's owner.
- Do NOT log in to the NT built-in administrator account. Always use your own
sysNNN account. This allows auditing of who is doing what as administrator.
The NT built-in administrator account should be treated almost as if it did
not exist. It should only be used when there is no other way to do something,
not just when it's convenient. NT support has gone to a lot of effort to
minimize the number of things that need to be done as "administrator" and they
are always open to new suggestions. Please don't hesitate to make them.
- The administrator password is not to be disclosed to anyone except in
emergency situations. Whenever the administrator password is disclosed
for any reason NT support (pcsupport) is to be notified immediately by
e-mail, either by the administrator or by the person to whom it was
disclosed (preferably both).
- NT privileged accounts may only be authorized by the Infotech group manager
(mainly client administration) and the worksupport group manager (mainly
server administration).
- Privileged users are NOT to do the following without explicit prior
approval of the group managers or the designated primary administrators:
  - make any changes to registries on any NT systems;
  - alter any files or file systems owned by "administrator";
  - alter permissions of files or file systems owned by "administrator";
  - add, remove or modify user accounts;
  - add, remove, or alter group files.
- Privileged accounts should NOT be used from a remote site.
III. Special groups of accounts
- The "administrators" group
All people who are normally authorized for an administrator account on SDSC
NT systems are members of the NT administrator group.
- The "techies" group
All people who are interested in helping with NT administration and testing work
on SDSC NT systems are members of the NT technical group, which has read
access on all administrative files.
- "sysNNN" accounts
These special accounts are intended to allow individuals to have privileged
access on NT systems, for specifically-listed tasks. These tasks are expected
to be strictly limited to the following:
- install NT OS or applications on NT workstations;
- change mode and/or ownership of files belonging to:
  - expired accounts,
  - FTP area for all users,
  - shares for all users;
- change mode and/or ownership of files belonging to an
individual user, ONLY upon a request from that user;
- examine system log files;
- start, stop and restart printer queues;
- properly reboot dedicated machines as needed;
- archive users' files into Archival Storage upon request of the
user or the SDSC Support (only in accordance with SDSC policy
concerning disk usage and Acceptable Use of accounts).
The "sysNNN" accounts are privileged accounts
and all users of such are strictly responsible for the rules listed in section
II above, especially with respect to authorization of administrator's account.
IV. Agreement
This ____________ account is authorized for the following tasks:
(check only those that apply)
administration of all NT client systems
- general administration
- NT client installation
- application software installation
- other (specify) _________________________________
administration of NT server systems
- general administration
- security monitor, testing and audit
- MAC share administration
- User administration
- application installation
- IIS administration
- VTC support
- other (specify) _________________________________
individual client(s): (specify host names) ______________
- application installation
- switch network profile
- other (specify) _________________________________
By signing a hardcopy of this document, I agree to abide by the Policy
herein described.
Name: _____________________________
Signature: _____________________________
Date: _____________________________